Hi Tomas,

First disclaimer is that I'm not from Debian's security team.

On Fri, Sep 26, 2025 at 12:43:43PM +0000, Tomáš Macák wrote:
> We use Debian (currently bookworm) for hosting our application.

That's awesome! You might want to add yourselves in https://www.debian.org/users/, check the "Submissions" section at the end of the page.

> One of our customers is performing thorough security audit test. Amongst
> others they are checking SBOM file of OS and reviewing it with BlackDuck
>
> They came up with list of high criticality CVEs from Oracle Berkeley DB
> libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US:
> Oracle”. They argue that package libdb5.3/5.3.28 is installed which is
> affected according to Oracle
> (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL) thus
> we’re vulnerable
>
> Can you please let us know, if these CVEs
>
> 1. Really affect Debian, but since the code is external/Oracle you cannot
> fix it – marked NFU
> 2. Portions of code in CVEs is not present/used in Debian libdb package
>
> I strongly believe it’s b) but I have very few arguments I can play with ☹

If they paid for the security assessment, isn't part of the job triaging the report to make sure the CVEs reported aren't false positives output by some automated tool? That's what I would ask your customer.

> I understand for now I cannot simply remove libdb for now as PAM module
> depends on it
>
> The list of CVEs:
> CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418,
> CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608,
> CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613,
> CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981,
> CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754,
> CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789,
> CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780,
> CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777,
> CVE-2015-4782, CVE-2015-4781, CVE-2015-4774

I did look at the first 2 CVEs in the security tracker and they read [1][2]:

NOT-FOR-US: Oracle Berkeley DB (later closed source releases)

So I'd guess this is true for all others, but again I feel this is part of the job of the third party doing the security assessment to verify, not yours and not secteam's.

Hopefully I was able to help somewhat on what to answer your customer.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2016-0682
[2] https://security-tracker.debian.org/tracker/CVE-2016-0689
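As an added example, not code from this thread or from the Debian security tracker, the following script does the triage Charles is talking about: it parses entries in the layout of the tracker's data/CVE/list file (the "NOT-FOR-US:" and "- srcpkg <status> (note)" lines; the exact format is an assumption) and maps every CVE a scanner reports against one source package to a verdict. The two NOT-FOR-US entries echo the email; the CVE-2099-* entries, their notes and the scanner excerpt are constructed placeholders.

```python
import re
# Constructed sample in the layout of the security tracker's data/CVE/list file
# (assumed format; NOT-FOR-US lines echo the email, CVE-2099-* are placeholders).
TRACKER_LIST = """\
CVE-2016-0682 (summary omitted)
\tNOT-FOR-US: Oracle Berkeley DB (later closed source releases)
CVE-2016-0689 (summary omitted)
\tNOT-FOR-US: Oracle Berkeley DB (later closed source releases)
CVE-2099-0001 (placeholder: fixed by a Debian upload)
\t- db5.3 5.3.28+dfsg2-99 (placeholder version)
CVE-2099-0002 (placeholder: vulnerable code not shipped)
\t- db5.3 <not-affected> (Vulnerable code not present)
CVE-2099-0003 (placeholder: still open)
\t- db5.3 <unfixed> (low; minor issue)
"""
# Constructed scanner output, as an SBOM tool might list findings for libdb5.3.
SCAN_REPORT = ("libdb5.3 5.3.28: CVE-2016-0682, CVE-2016-0689, CVE-2099-0001, "
               "CVE-2099-0002, CVE-2099-0003, CVE-2099-0004")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PKG_RE = re.compile(r"^\t- (\S+) (\S+)(?: \((.*)\))?$")

def parse_tracker_list(text):
    """CVE id -> {'not_for_us': reason or None, 'packages': {src: (status, note)}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        if CVE_RE.match(line):                       # entry header line
            cur = entries.setdefault(line.split()[0], {"not_for_us": None, "packages": {}})
        elif cur is None:
            continue                                 # text before the first entry
        elif line.startswith("\tNOT-FOR-US:"):
            cur["not_for_us"] = line.split(":", 1)[1].strip()
        elif (m := PKG_RE.match(line)):              # "\t- srcpkg <status>|version (note)"
            cur["packages"][m[1]] = (m[2], m[3] or "")
    return entries

def classify(entry, src_pkg):
    # Verdict for one tracker entry as seen from one Debian source package.
    if entry is None:
        return "unknown: not in tracker data, check by hand"
    if entry["not_for_us"]:
        return "false positive: NOT-FOR-US, " + entry["not_for_us"]
    if src_pkg not in entry["packages"]:
        return "not tracked against " + src_pkg
    status, note = entry["packages"][src_pkg]
    if status == "<unfixed>":
        return "open in Debian: " + note
    if status.startswith("<"):                       # <not-affected>, <removed>, ...
        return "false positive: " + status + " " + note
    return "fixed in " + status                      # a Debian version string

def triage(report, entries, src_pkg):
    # Every distinct CVE in the scanner report, in report order, with its verdict.
    return {cve: classify(entries.get(cve), src_pkg)
            for cve in dict.fromkeys(CVE_RE.findall(report))}
```

Running `triage(SCAN_REPORT, parse_tracker_list(TRACKER_LIST), "db5.3")` gives one line per reported CVE; against the live data/CVE/list file the same code separates NOT-FOR-US noise from anything actually tracked against db5.3.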

